mailing list archives
Re: nmap: nsock_core.c:294: handle_connect_result: Assertion `0' failed.
From: David Fifield <david () bamsoftware com>
Date: Thu, 30 Apr 2009 17:06:37 -0600
On Thu, Apr 30, 2009 at 09:19:07AM +0200, Fabio wrote:
On Wed, Apr 29, 2009 at 03:29:20PM +0200, Fabio wrote:
When trying to scan some hosts to search for the Conficker virus I get
the following assertion. This is nmap 4.85BETA8 compiled from source on
a SPARC machine under Linux, gcc 4.0.3.
$ ./nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-04-29 15:44 CEST
Strange connect error from 192.168.29.55 (42): Operation now in progress
nmap: nsock_core.c:294: handle_connect_result: Assertion `0' failed.
This is a strange error. Errno 42 is ENOMSG, "No message of desired
type". But perror is printing out the message for EINPROGRESS,
"Operation now in progress". I suppose it is possible for errno and the
error code returned by getsockopt to be different in this part of the
Does this assertion failure happen every time? If so, it would help if
you could send a packet capture created with tcpdump or a similar tool.
The assertion is 100% reproducible with that host. A packet capture
(with tcpdump -vvv) is attached.
Thanks. The packet trace is pretty strange. Here you send the TCP ping
probes, so far so good.
09:29:05.777093 IP (tos 0x0, ttl 56, id 3417, offset 0, flags [none], proto: TCP (6), length: 44) 192.168.29.1.49218 >
192.168.29.55.139: S, cksum 0x5feb (correct), 1691702033:1691702033(0) win 1024 <mss 1460>
09:29:05.777462 IP (tos 0x0, ttl 52, id 4850, offset 0, flags [none], proto: TCP (6), length: 44) 192.168.29.1.49218 >
192.168.29.55.445: S, cksum 0x5eb9 (correct), 1691702033:1691702033(0) win 1024 <mss 1460>
The remote host says that it doesn't understand TCP?
09:29:05.777795 IP (tos 0x0, ttl 128, id 25678, offset 0, flags [none], proto: ICMP (1), length: 56) 192.168.29.55 >
192.168.29.1: ICMP 192.168.29.55 protocol 6 unreachable, length 36
Then the scanning machine sends back another TCP packet, this time with
IP (tos 0x0, ttl 56, id 3417, offset 0, flags [none], proto: TCP (6), length: 44) 192.168.29.1.49218 >
192.168.29.55.139: tcp 24 [bad hdr length 0 - too short, < 20]
What is the operating system of 192.168.29.55? Is there anything special
about the scanning SPARC machine? Has anyone seen traffic like that and
can provide an explanation?
I guess the ENOMSG is caused by the "protocol 6 unreachable" replies.
Can you try the attached patch and see if it fixes the problem?
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org